[INVALID] subdomain detection is broken

camputa

[INVALID] subdomain detection is broken

Post by camputa »

Consider two sites:

http://www.pm.gov.au
http://www.nt.gov.au

Why would the noscript menu show "allow pm.gov.au" for the first, but "allow http://www.nt.gov.au" for the second? It can't seem to figure out what is a subdomain.

Checked with a fresh installation of noscript, default settings.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060310 Ubuntu/8.10 (intrepid) Firefox/3.0.11
camputa

Re: subdomain detection is broken

Post by camputa »

No, the forum broke my post.

Noscript shows the 3-level domain pm . gov . au for the first, but the 4-level domain www . nt . gov . au for the second. Bug.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060310 Ubuntu/8.10 (intrepid) Firefox/3.0.11
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: subdomain detection is broken

Post by Giorgio Maone »

Looks like NoScript's judgment is correct:
Wikipedia on .gov.au TLDs wrote: The use of .gov.au and .edu.au is also split up into further state-based categories. State governments and schools use a domain name that reflect their locale, and these state-based third-level domains are managed independently by the states.

For example [...]Northern Territory would use .nt
Therefore ".nt.gov.au" must be regarded as a Top Level Domain like ".com", no matter if it has 3 suffixes, and "www.nt.gov.au" qualifies as a base 2nd level domain just like "informaction.com".
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
camputa

Re: [INVALID] subdomain detection is broken

Post by camputa »

What? Who cares what wikipedia says?

I go to http://www.nt.gov.au and it only shows "Allow http://www.nt.gov.au" in the menu. I go to http://www.pm.gov.au and it shows "Allow pm.gov.au".

This is retarded.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060310 Ubuntu/8.10 (intrepid) Firefox/3.0.11
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [INVALID] subdomain detection is broken

Post by Giorgio Maone »

camputa wrote:What? Who cares what wikipedia says?

I go to http://www.nt.gov.au and it only shows "Allow http://www.nt.gov.au" in the menu. I go to http://www.pm.gov.au and it shows "Allow pm.gov.au".

This is retarded.
To be precise, it shows "www.nt.gov.au" (without the http://).
This is the correct behavior. Please learn what a TLD is.
Showing "nt.gov.au" instead of "www.nt.gov.au" (as you suggest) would be as retarded as showing "com" instead of "microsoft.com".
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
nagan
Senior Member
Posts: 340
Joined: Thu Mar 26, 2009 11:05 am

Re: [INVALID] subdomain detection is broken

Post by nagan »

There seems to be a genuine complaint in this: "I go to http://www.nt.gov.au and it only shows "Allow http://www.nt.gov.au" in the menu. I go to http://www.pm.gov.au and it shows "Allow pm.gov.au"."


What merits the prefix for nt.gov.au site and NOT for the next? I have allowed Base 2nd level domains.
Dreams are REAL possibilities. Pursue them with zest and you can make them HAPPEN!
You are GOD.Realize THAT!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: [INVALID] subdomain detection is broken

Post by therube »

I guess what merits it is that it is the way it is supposed to be. (And not that I know what is right or wrong.)

Other than that, I guess you can say it is an odd, screwy situation & so you have to decide whether you follow the "rules" or whether you try to alleviate an odd, screwy situation. And if you do the latter, then you'll have to do the same for all the other odd, screwy situations that exist. Not to mention that you could end up breaking other things in the process.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: [INVALID] subdomain detection is broken

Post by Alan Baxter »

NoScript 1.9.5.6 with default settings.
I know what a TLD is, but it seems like nt.gov.au is a pretty screwy one. Consider the following valid URL and how NoScript handles it.

Go to http://nt.gov.au. The NoScript menu only offers Allow http://nt.gov.au
If "nt.gov.au" is really a TLD, then isn't http://nt.gov.au/ as stupid as http://com? Strange, but http://nt.gov.au/ does seem to be a valid URL for some reason. Maybe it shouldn't be treated as a TLD after all.
- Left-click the NoScript toolbar icon
Result: nt.gov.au appears in the whitelist. This seems to be inconsistent with the choice previously given in the NoScript menu. (Which now offers Forbid nt.gov.au).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [INVALID] subdomain detection is broken

Post by Giorgio Maone »

nagan wrote:What merits the prefix for nt.gov.au site and NOT for the next? I have allowed Base 2nd level domains.
Simple.
From a security standpoint, nt.gov.au has to be considered the TLD for Australian North Territories geographic domain names, (like "us" is the TLD for U.S.A. sites and "co.uk" is the TLD for commercial Britain sites), while pm.gov.au is a 2nd level domain (the site of the prime minister, whose TLD is gov.au).

Regarding the "screwy" part, nt.gov.au is also a domain, technically (therefore http://www.nt.gov.au and nt.gov.au are aliases), but a political decision of the Australian government made it a TLD "de facto", and therefore security savvy browsers (and extensions) try to treat it in the safest way depending on the context: for NoScript, it means discouraging users from allowing it as a whole.

However, the decision of treating it as a TLD rather than a regular domain for security choices is not made by NoScript, but by Firefox (better, by the Mozilla team which collects info about every TLD around to feed the nsIEffectiveTLDService component).
If you don't believe me, try the following on Firefox without NoScript:
    • Open http://www.pm.gov.au
    • Type the following in the location bar and hit [Enter]:

      javascript:try { alert(document.domain = "pm.gov.au") } catch(e) { alert(e) }
      
    • Result: a popup saying "pm.gov.au"
    • Open http://www.nt.gov.au
    • Type the following in the location bar and hit [Enter]:

      javascript:try { alert(document.domain = "nt.gov.au") } catch(e) { alert(e) }
      
    • Result: Illegal document.domain value (NS_ERROR_DOM_BAD_DOCUMENT_DOMAIN)
    • Open http://twitter.com
    • Type the following in the location bar and hit [Enter]:

      javascript:try { alert(document.domain = "com") } catch(e) { alert(e) }
      
    • Result: Illegal document.domain value (NS_ERROR_DOM_BAD_DOCUMENT_DOMAIN)
QED, Firefox (without NoScript) refuses to treat nt.gov.au like a regular domain (pb.gov.au): on the contrary, it treats it exactly the same way as it treats "com" (a TLD).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: [INVALID] subdomain detection is broken

Post by dhouwn »

Giorgio Maone wrote:However, the decision of treating it as a TLD rather than a regular domain for security choices is not made by NoScript, but by Firefox (better, by the Mozilla team which collects info about every TLD around to feed the nsIEffectiveTLDService component).
Just wondering and probably a little bit OT, what is "EmulatedTLDService" (part of NoScript) for?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1) Gecko/20090630 Firefox/3.5
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [INVALID] subdomain detection is broken

Post by Giorgio Maone »

dhouwn wrote:Just wondering and probably a little bit OT, what is "EmulatedTLDService" (part of NoScript) for?
It's a fast compatibility layer I implemented to keep supporting Firefox 2.0 and below when I switched to nsIEffectiveTLDService for TLD checks.
You know, NoScript is far older than nsIEffectiveTLDService ;)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
Guest

Re: [INVALID] subdomain detection is broken

Post by Guest »

Giorgio Maone wrote: QED, Firefox (without NoScript) refuses to treat nt.gov.au like a regular domain (pb.gov.au): on the contrary, it treats it exactly the same way as it treats "com" (a TLD).
OK, thanks for the explanation. I should have realised the problem is Firefox and its retarded "security".

BTW. "TLD" is the wrong term. I don't know the correct term for these things that you (firefox's stupid "security") considers the same class of thing:

.com
.edu.au
.nt.gov.au

But TLD it is not.

And yes, by my logic I would expect microsoft.com to be treated the same as nt.gov.au, which is to say the domains should be treated from the left, not from the right.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060310 Ubuntu/8.10 (intrepid) Firefox/3.0.11
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [INVALID] subdomain detection is broken

Post by Giorgio Maone »

camputa wrote:
Giorgio Maone wrote: QED, Firefox (without NoScript) refuses to treat nt.gov.au like a regular domain (pb.gov.au): on the contrary, it treats it exactly the same way as it treats "com" (a TLD).
OK, thanks for the explanation. I should have realised the problem is Firefox and its retarded "security".
Still you failed to explain why this is a "problem", and anyway if it was a problem it comes from Australia and its "retarded" territory assets and domain registration policies, not from Firefox.
camputa wrote:"TLD" is the wrong term. I don't know the correct term for these things that you (firefox's stupid "security") considers the same class of thing:

.com
.edu.au
.nt.gov.au

But TLD it is not.
Even according to the very source you're linking, "domain suffixes to be regarded as TLDs when enforcing security policies" is the right term. A synonym is public suffixes:
publicsuffix.org wrote: A "public suffix" is one under which Internet users can directly register names. Some examples of public suffixes are ".com", ".co.uk" and "pvt.k12.wy.us". The Public Suffix List is a list of all known public suffixes.
camputa wrote: And yes, by my logic I would expect microsoft.com to be treated the same as nt.gov.au, which is to say the domains should be treated from the left, not from the right.
Your logic is flawed: you're not defining "treated". From the right to the left, you narrow the specificity of the domain designation. For a security decision to be effective, you need to choose a domain which is specific enough not to extend your (trust) decision to a completely unrelated entity. That's why you can't set cookies or NoScript permissions for "com", "co.uk" or "nt.gov.au", but you can for "microsoft.com".

However, if you think "nt.gov.au" doesn't belong to this list, feel free to submit an amendment.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
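
An added example, not part of the original posts and not NoScript or Firefox code: a simplified model of the public-suffix lookup discussed above, showing why pm.gov.au and www.nt.gov.au come out as base domains and why the document.domain experiment fails for nt.gov.au and com. The rule set is constructed from the suffixes named in this thread, the function names are hypothetical, and the real list's wildcard and exception rules are omitted.

```javascript
// Constructed rule subset: only suffixes named in this thread, written in
// Public Suffix List style. This is not a copy of the real list.
const SUFFIX_RULES = new Set(["com", "au", "gov.au", "edu.au", "nt.gov.au", "uk", "co.uk"]);

// Normalise a host name: lower-case, drop a trailing root dot.
function normalise(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Longest matching public suffix, trying candidates from the longest
// (whole host) to the shortest (last label). Returns null if none matches.
function publicSuffix(host) {
  const labels = normalise(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SUFFIX_RULES.has(candidate)) return candidate;
  }
  return null;
}

// Base ("registrable") domain = public suffix plus exactly one more label.
// Returns null when the host is itself a public suffix (e.g. "nt.gov.au"),
// because a trust decision there would cover unrelated registrants.
function baseDomain(host) {
  const h = normalise(host);
  const suffix = publicSuffix(h);
  if (suffix === null || h === suffix) return null;
  const extra = h.slice(0, h.length - suffix.length - 1).split(".");
  return extra[extra.length - 1] + "." + suffix;
}

// Simplified model of the document.domain experiment: the new value must be
// the current host or a parent of it, and must not be a bare public suffix.
function canSetDocumentDomain(currentHost, value) {
  const cur = normalise(currentHost);
  const val = normalise(value);
  const isSelfOrParent = cur === val || cur.endsWith("." + val);
  return isSelfOrParent && publicSuffix(val) !== val;
}

for (const host of ["www.pm.gov.au", "www.nt.gov.au", "nt.gov.au", "twitter.com"]) {
  console.log(host, "->", baseDomain(host));
}
```

The two Australian hosts are syntactically alike, but the lookup stops at different depths because "nt.gov.au" is itself a rule while "pm.gov.au" is not.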
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: [INVALID] subdomain detection is broken

Post by Grumpy Old Lady »

quoth Giorgio
if it was a problem it comes from Australia and its "retarded" territory assets and domain registration policies, not from Firefox.
More specifically, this approach to geographical id wrt Australian administrative and government domains was overseen by Geoff Huston, an IT scientist, from the very earliest days of Postel delegating the work of assigning names, if I remember correctly, and if you want to go into the logic of it all, his homepage is here
http://www.potaroo.net/index.html

If you want to skip that step, your petition should go to the current administrator of .gov.au here
http://www.finance.gov.au/e-government/ ... ation.html

However, ICANN is capable of overriding anything on the net anywhere, and none of its activities have been yet challenged in any court.
Specifically, the Australian experience with the transfer of registrar duties from the volunteers who had very ably administered it, at no cost to anybody, to the big money-making company/ies who leech off it today (woops, I believe my prejudices are showing a little) was effected by ICANN without even a single piece of documentation. And not an eyelid was batted anywhere in the world.
See Roger Clarke's careful history of internet governance in Australia here
http://www.rogerclarke.com/II/OzI04.html#AGov
Redelegation of a ccTLD requires consensus between old and new registrars, except "where there is misconduct, or violation of the policies set forth in this document and RFC 1591, or persistent, recurring problems with the proper operation of a domain" (IETF 1994). ICANN ignored that requirement, and asserted that it had the authority to re-assign the responsibility for .au, without any consensus having been established, and without so much as a policy document to support its actions (Froomkin 2001).
Fx is doing the logic exactly and correctly.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1) Gecko/20090624 Firefox/3.5
camputa

Re: [INVALID] subdomain detection is broken

Post by camputa »

Giorgio Maone wrote: Still you failed to explain why this is a "problem", and anyway if it was a problem it comes from Australia and its "retarded" territory assets and domain registration policies, not from Firefox.
The problem was explained in the OP. One expects http://www.a.x.y to be treated the same as http://www.b.x.y because they are syntactically equivalent. This complicating "public suffix list" is *magical* information that is changing the interpretation of these, otherwise syntactically equivalent, strings.
publicsuffix.org wrote: The Public Suffix List is an initiative of the Mozilla Foundation.
Funny that.

Regardless, why should a (temporary) javascript whitelist policy have *anything* to do with this ill-conceived "public suffix" list?
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060310 Ubuntu/8.10 (intrepid) Firefox/3.0.11